> - If packagers: > - That's a lot more work, and I think encourages people to be > sloppy.
I believe we should aim for packages not being built by packagers on their systems. > - If autobuilder: > - I think that this hugely increases the risk of releasing a > broken package, if there isn't human intervention. Right > now[1], autobuilder is only used for extremely simple packages. Can we detect enough broken packages automatically? (Other distros run tests after the build.) We had no testing on mips64el, we still have no testing for interactions between Arch and Parabola packages. > - How do we handle signing? Do we pass through the sigs of Arch > developers in any way? Have one key for all packages, make the build server sign the packages that it gets? Use developer keys only for packages sent to the build server? (This is needed to fix the usual missing key issues.) > - Where would it run? That would be a lot of load to put on the > main server. > - We could build a job server, where a packager has a daemon > that gets jobs from the main server, and runs them locally. > That makes signing more complex (each dev needs 2 keys; one > for normal builds, one for autobuilder builds), and means > way more code to be written. This looks too complex, while it won't be simpler with e.g. two central build servers (or one that is easy to replace).
signature.asc
Description: PGP signature
_______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
